Corporate eFax message - 2 pages - fake efax with virus


The fake "eFax Corporate" (by j2 Global) email claims you have received an x-page fax message, which is either attached to the email or waiting on a website at the provided link.

Versions seen so far: a trojan .exe inside an attached zip, an attached malicious .html file, or links to malware sites hosting drive-by downloads or exploit kits.

It spoofs efax.com or other domains in the From header.


Subject: eFax Corporate

Subject: Corporate eFax Message - x pages

Subject: Corporate eFax message from "957-467-6746" - 4 pages

Subject: Corporate eFax message from "unknown" - 3 page(s)

Subject: Corporate eFax message from "788-595-6734" - 3 pages

eFax Corporate

You have received 1 pages fax at 2013-06-24 10:24:18 CST.

* The reference number for this fax is latf1_did11-1498393985-2394295345-38.

Please visit www.efaxcorporate.com/corp/twa/page/customerSupport
if you have any questions regarding this message or your service.
You may also e-mail our corporate support department at corporatesupport @mail.efax.com.

Thank you for using the eFax Corporate service!
Powered by j2
j2 Global | eFax | eVoice | FuseMail | Campaigner | KeepItSafe | OneBox

2013 j2 Global, Inc. All rights reserved.
eFax Corporate is a registered trademark of j2 Global, Inc.

FAX_089081322_3199.zip (137k)

Picture of fake J2 Global Corporate eFax email with virus attached.

Subject:  Corporate eFax message from "536-968-3449" - 4 pages

Fax Message [Caller-ID: 536-968-3449]

You have received a 4 pages fax at 2014-01-04 04:44:44 EST.

* The reference number for this fax is latf1_did11-1748977804-3054029554-28.

View this fax using your PDF reader.

Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this
message or your service.

Thank you for using the eFax service!
Home | Contact | Login |

2013 j2 Global Communications, Inc. All rights reserved.
eFax is a registered trademark of j2 Global Communications, Inc.

This account is subject to the terms listed in the eFax Customer Agreement.

FAX_6291741_7941724.zip (11)

Picture of the April 2014 version of the fake j2 global corporate efax email with malware.

Fax Message [Caller-ID: 788-595-6734]

You have received a 3 pages fax at 2014-14-05 03:33:33 EST.

* The reference number for this fax is latf1_did11-1334905931-4278108620-91.

Download attachment with the fax using your PDF reader.

Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding
this message or your service.

Thank you for using the eFax service!
Home | Contact | Login |

2014 j2 Global Communications, Inc. All rights reserved.
eFax is a registered trademark of j2 Global Communications, Inc.

This account is subject to the terms listed in the eFax Customer Agreement.

Header samples:

Sometimes they don't bother spoofing at all. Sometimes they spoof efax.com in the From header while the envelope sender (X-Envelope-From) carries something else entirely, like aexp.com.

Received: from host-108-32-220-24.midco.net [24.220.32.108]
X-Envelope-From: fraud @aexp.com
From: eFax Corporate <message @inbound.efax.com>
Subject: Corporate eFax message from "845-457-8996" - 2 pages

Received: from s72-38-236-247.static.wavedirect.net [72.38.236.247]
X-Envelope-From: fraud @aexp.com
From: "eFax Corporate" <message @inbound.efax.com>
Subject: Corporate eFax message from "567-739-3338" - 1 pages

Received: from mail.markusduschek.com [109.73.50.150]
X-Envelope-From: web5 @markusduschek.com
From: "eFax Corporate" <web5 @markusduschek.com>
Subject: Corporate eFax message from "658-958-2222" - 2 pages

Received: from mail1.roiltd.co.uk [84.19.44.74]
X-Envelope-From: fraud @aexp.com
From: eFax Corporate <message @inbound.efax.com>
Subject: Corporate eFax message from "788-593-5645" - 3 pages

Received: from 174.141.120.4.nw.nuvox.net [174.141.120.4]
X-Envelope-From: fraud @aexp.com
From: "eFax Corporate" <message @inbound.efax.com>
Subject: Corporate eFax message from "567-383-7764" - 3 pages

Received: from ABTS-mum-static-192.96.169.122.airtelbroadband.in [122.169.96.192]
X-Envelope-From: fraud @aexp.com
From: eFax Corporate <message @inbound.efax.com>
Subject: Corporate eFax message from "786-559-3883" - 4 pages

Variations:

Subject line "Efax Corporate".

Attachment "EFAX_Corporate.htm"; the .htm contains JavaScript redirects to malicious websites.

Subject line "Corporate eFax message from "576-555-5364" - 17 page(s)", with a random phone number and page count.

Subject line "Corporate eFax message - 1 page(s) fax message, caller ID: 231-744-2544", with a random phone number and page count.

Sometimes, instead of an attachment, there is an ordinary HTML link whose visible text looks like it goes to efaxcorporate, but whose real target is a phishing or malicious-code website.
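A triage check for the header patterns in the samples above and the subject-line variations just listed, added here as an example; it is not part of the original page or any eFax tooling. It assumes that a genuine notification's From domain, envelope sender and handing-off relay all sit under efax.com or efaxcorporate.com (an assumption for illustration, not something the page states). Two of the embedded samples are header sets from the page with the anti-harvesting space removed from the addresses; the third is a constructed benign message.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption for this example: a real eFax notification's From domain,
# envelope sender and handing-off relay all sit under these domains.
EXPECTED_SENDER_DOMAINS = ("efax.com", "efaxcorporate.com")

# Subject shapes listed on the page: 'Corporate eFax message from "NNN-NNN-NNNN" - N pages',
# '... - N page(s)', '... - x pages', '... - 1 page(s) fax message, caller ID: ...',
# and the bare 'eFax Corporate'.
LURE_SUBJECT = re.compile(
    r'^(?:Corporate eFax message(?: from "[^"]*")? - (?:\d+|x) page(?:s|\(s\))?(?:\s.*)?'
    r'|eFax Corporate)$',
    re.IGNORECASE,
)


def _domain(addr_header):
    """Domain part of an address header such as 'Name <user@host>'."""
    return parseaddr(addr_header)[1].rpartition("@")[2].lower()


def _under(host, domains):
    """True if host equals one of domains or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def _relay_hosts(msg):
    """Hostnames named in 'Received: from <host> ...' lines, top line first."""
    hosts = []
    for received in msg.get_all("Received") or []:
        m = re.match(r"\s*from\s+(\S+)", received)
        if m:
            hosts.append(m.group(1))
    return hosts


def assess(raw_headers):
    """Return a list of finding codes for one message's headers."""
    msg = message_from_string(raw_headers)
    findings = []

    if LURE_SUBJECT.match(msg.get("Subject", "")):
        findings.append("lure-subject")

    display_name, _ = parseaddr(msg.get("From", ""))
    from_dom = _domain(msg.get("From", ""))
    env_dom = _domain(msg.get("X-Envelope-From", ""))

    # Envelope sender (aexp.com in the page's samples) and header From disagree.
    if env_dom and from_dom and not (_under(env_dom, [from_dom]) or _under(from_dom, [env_dom])):
        findings.append("envelope-mismatch")

    # Display name claims eFax but the address domain belongs to someone else.
    if "efax" in display_name.lower() and not _under(from_dom, EXPECTED_SENDER_DOMAINS):
        findings.append("brand-impersonation")

    # From claims an eFax domain but the relay that handed the mail over is not eFax's.
    # The samples carry one Received line; on real mail use the line your own boundary MTA wrote.
    relays = _relay_hosts(msg)
    if _under(from_dom, EXPECTED_SENDER_DOMAINS) and relays and not _under(relays[0], EXPECTED_SENDER_DOMAINS):
        findings.append("relay-mismatch")

    return findings


SAMPLES = {
    # Two header sets from the page (anti-harvesting space removed from the addresses).
    "midco": (
        "Received: from host-108-32-220-24.midco.net [24.220.32.108]\n"
        "X-Envelope-From: fraud@aexp.com\n"
        "From: eFax Corporate <message@inbound.efax.com>\n"
        'Subject: Corporate eFax message from "845-457-8996" - 2 pages\n'
    ),
    "markusduschek": (
        "Received: from mail.markusduschek.com [109.73.50.150]\n"
        "X-Envelope-From: web5@markusduschek.com\n"
        'From: "eFax Corporate" <web5@markusduschek.com>\n'
        'Subject: Corporate eFax message from "658-958-2222" - 2 pages\n'
    ),
    # Constructed benign message for contrast.
    "benign": (
        "Received: from mx.example.com [192.0.2.10]\n"
        "X-Envelope-From: alice@example.com\n"
        "From: Alice Example <alice@example.com>\n"
        "Subject: Lunch on Friday?\n"
    ),
}

if __name__ == "__main__":
    for name, headers in SAMPLES.items():
        print(name, assess(headers))
```

The relay check only fires when the From header claims an eFax domain, so the markusduschek sample is caught by the display-name check instead: everything in its headers is consistent, and only the "eFax Corporate" name is borrowed.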

Alternate layout, usually for the malware link variation:

Picture of fake J2 Global Corporate eFax email with malware links.


Attachments and Links

Virus Attachment variation:

9 July 2014

chd_did8-55761798157-27768463314-110.zip containing fax_message.exe

VirusTotal report

Malwarebytes: Trojan.Downloader
Qihoo-360: HEUR/Malware.QVM07.Gen

"#upatre" --matthewm

Malwr.com report 

Starts servers listening on 0.0.0.0:0
Performs some HTTP requests
Steals private information from local Internet browsers
Installs itself for autorun at Windows startup

HTTP GETs:
94.23.247.202 /0907ver/HOME/0/51Service%20Pack%203/0/
94.23.247.202 /0907ver/HOME/1/0/0/

Anubis report 

Comodo report 

Deletes self
Injects code into other processes

x3po.awardspace.com /images/VER103.pdf <-- not actually PDF files
shop.negro-rhygass.ch /css/VER103.pdf

12 June 2014

latf1_did11-881721-86461.zip containing latf1_did11-881721-86461.scr | VirusTotal report | Malwr.com report | Anubis report 

1 April 2014

FAX_6291741_7941724.zip containing FAX_6291741_7941724.exe | VirusTotal report | Malwr.com report | File-Analyzer.net report 

20 February 2014

VirusTotal report | File-Analyzer.net report

5 November 2013

VirusTotal report | Malwr.com report

HTML file attachment variation:

The attachment is a .htm file that uses JavaScript to redirect to malicious download websites like:

ighjaooru.ru port 8080 / forum/ links/ column.php
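A small triage routine for the two attachment variants above (a zip carrying an executable with a fax-like name, and a .htm that sends the browser elsewhere with script), added here as an example; it is not the page's own tooling. The zip and HTML it inspects are constructed in memory: the archive members are stubs that begin with the PE "MZ" marker rather than real executables, and the redirect target uses a placeholder host, redirect.example, with a path modelled on the one listed above.

```python
import io
import re
import zipfile

EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".jar"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".txt", ".jpg", ".png"}

# Techniques that move the browser somewhere else as soon as the .htm opens.
REDIRECT_PATTERNS = [
    (re.compile(r"(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*=(?!=)", re.I),
     "js-location-assignment"),
    (re.compile(r"location\.(?:replace|assign)\s*\(", re.I), "js-location-call"),
    (re.compile(r"<meta[^>]+http-equiv\s*=\s*[\"']?refresh", re.I), "meta-refresh"),
    (re.compile(r"<iframe[^>]*\s(?:width|height)\s*=\s*[\"']?0\b", re.I), "hidden-iframe"),
]
URL = re.compile(r"https?://[^\s'\"<>]+")


def triage_zip(data):
    """Flag members that are executables, use a double extension, or carry PE magic."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not-a-zip"]
    findings = []
    for info in zf.infolist():
        if info.is_dir():
            continue
        base = info.filename.rsplit("/", 1)[-1].lower()
        parts = base.split(".")
        ext = "." + parts[-1] if len(parts) > 1 else ""
        if ext in EXECUTABLE_EXTS:
            findings.append("executable-member:" + base)
        if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTS and ext in EXECUTABLE_EXTS:
            findings.append("double-extension:" + base)
        if zf.open(info).read(2) == b"MZ":  # DOS/PE header, whatever the name claims
            findings.append("pe-magic:" + base)
    return findings


def triage_html(text):
    """Report redirect techniques present in an HTML attachment and the URLs it names."""
    indicators = [label for pattern, label in REDIRECT_PATTERNS if pattern.search(text)]
    urls = list(dict.fromkeys(URL.findall(text)))  # de-duplicate, keep order
    return {"indicators": indicators, "urls": urls}


def triage_attachment(filename, data):
    """Route by content rather than by name: zip magic first, otherwise treat as text/HTML."""
    if data[:4] == b"PK\x03\x04":
        return {"type": "zip", "name": filename, "findings": triage_zip(data)}
    text = data.decode("utf-8", errors="replace")
    return {"type": "html", "name": filename, "findings": triage_html(text)}


def _build_sample_zip():
    """Constructed archive standing in for the zip samples named on the page."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Stubs: PE 'MZ' marker plus padding, not real executables.
        zf.writestr("fax_message.exe", b"MZ" + b"\0" * 62)
        zf.writestr("fax.pdf.scr", b"MZ" + b"\0" * 62)
    return buf.getvalue()


SAMPLE_ZIP = _build_sample_zip()

# Constructed .htm; redirect.example is a placeholder host, the path mirrors the one above.
SAMPLE_HTML = (
    '<html><head><meta http-equiv="refresh" '
    'content="0;url=http://redirect.example:8080/forum/links/column.php"></head>'
    '<body><script>window.location = "http://redirect.example:8080/forum/links/column.php";'
    '</script></body></html>'
)

if __name__ == "__main__":
    print(triage_attachment("FAX_message.zip", SAMPLE_ZIP))
    print(triage_attachment("EFAX_Corporate.htm", SAMPLE_HTML.encode()))
```

Routing on the leading bytes rather than the filename matters here because the lure renames freely (FAX_...zip, chd_did8-...zip) and the member inside can be .exe or .scr; the "MZ" check also catches an executable given a document-looking name.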

Malware Link Variation:

Links to compromised websites like:

00002nd.rcomhost.com /outgoings /index.html
ftp.noroncomas.com /ables /index.html
revivifyministries.com /provably /index.html
capcityasc.com /bruise /index.html
der-schafscherer.de /chroming /index.html
attorneymcbride.com /onetime /index.html
lapergolita.com.ar /hiked /index.html
tvassist.co.uk /positioned /index.html
thewarrealm.org /squint /index.html
attorneymcbride.com /periods /index.html
www.aprasys.com /nuns /index.html
thewarrealm.org /equity /index.html
94.32.66.54 /domes /index.html
der-schafscherer.de /gnaw /index.html
volvoclub.gr /misunderstands /index.html
westchesterrent.com /veeps /index.html
bizwebtechnologies.com /foremasts /index.html
tvassist.co.uk /cultivators /index.html
1954f7e942e67bc1.lolipop.jp /delusions /index.html
ftp.noroncomas.com /fillips /index.html
00002nd.rcomhost.com /evens /index.html
westchesterrent.com /billfold /index.html
westchesterrent.com /outstrips /index.html
1954f7e942e67bc1.lolipop.jp /frisian /index.html
qubitech.com.au /pardon /index.html
www.onmangekoi.mes-sites.com /mildness /index.html
attorneymcbride.com /funded /index.html
tvassist.co.uk /eigenvalue /index.html
revivifyministries.com /bantamweights /index.html

Each of these loads three JavaScript files, like:

ekaterini.mainsys.gr /overspreading /hermaphrodite.js
sisgroup.co.uk /despairs /marveled.js
psik.aplus.pl /christian /pickford.js

These in turn redirect to something like:

buyfranklinrealty.com /topic/ regard_alternate_sheet.php

which usually runs a Java exploit from an exploit kit such as Black Hole v2.
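The chain just described, a compromised site's /word/index.html, three .js loads from other compromised hosts, then a .php landing page on yet another host, has a shape that a web proxy log can be searched for. The detection pass that follows is an added example, not part of the page; it runs over a constructed log in a simple "timestamp client method url status" format that reuses hostnames and paths listed above for the malicious chain and placeholder example.com hosts for the benign traffic. Its time window and minimum script count are tunable assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed log format for this example: "<ISO timestamp> <client> <method> <url> <status>".
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

# Path shapes from the chain above: /<word>/index.html, /<word>/<word>.js, /<word>/<word>.php.
LANDING = re.compile(r"^/[a-z]+/index\.html$")
SCRIPT = re.compile(r"^/[a-z]+/[a-z]+\.js$")
GATE = re.compile(r"^/[a-z]+/[a-z_]+\.php$")

WINDOW = timedelta(seconds=90)  # how long after the landing page to keep looking (assumption)
MIN_SCRIPTS = 2                 # the page shows three script hosts; two is a tolerant threshold (assumption)


def parse_log(lines):
    """Yield one record per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        ts, client, _method, url, _status = m.groups()
        parts = urlsplit(url)
        yield {"ts": datetime.fromisoformat(ts), "client": client,
               "host": parts.hostname, "path": parts.path}


def find_chains(lines):
    """Return one record per client whose requests follow landing -> scripts -> gate."""
    by_client = defaultdict(list)
    for req in parse_log(lines):
        by_client[req["client"]].append(req)

    chains = []
    for client, reqs in by_client.items():
        reqs.sort(key=lambda r: r["ts"])
        for i, landing in enumerate(reqs):
            if not LANDING.match(landing["path"]):
                continue
            script_hosts = {}
            gate = None
            for later in reqs[i + 1:]:
                if later["ts"] - landing["ts"] > WINDOW:
                    break
                if later["host"] == landing["host"]:
                    continue  # the chain hops to other compromised hosts, never stays put
                if SCRIPT.match(later["path"]):
                    script_hosts[later["host"]] = later["path"]
                elif GATE.match(later["path"]) and len(script_hosts) >= MIN_SCRIPTS:
                    gate = later
                    break
            if gate:
                chains.append({
                    "client": client,
                    "landing": landing["host"] + landing["path"],
                    "scripts": sorted(h + p for h, p in script_hosts.items()),
                    "gate": gate["host"] + gate["path"],
                })
    return chains


# Constructed proxy log: the first client reproduces the chain with hosts and paths from the
# page; the second is ordinary browsing on placeholder example.com hosts.
SAMPLE_LOG = [
    "2014-07-09T10:00:00 10.0.0.5 GET http://revivifyministries.com/provably/index.html 200",
    "2014-07-09T10:00:01 10.0.0.5 GET http://ekaterini.mainsys.gr/overspreading/hermaphrodite.js 200",
    "2014-07-09T10:00:01 10.0.0.5 GET http://sisgroup.co.uk/despairs/marveled.js 200",
    "2014-07-09T10:00:02 10.0.0.5 GET http://psik.aplus.pl/christian/pickford.js 200",
    "2014-07-09T10:00:04 10.0.0.5 GET http://buyfranklinrealty.com/topic/regard_alternate_sheet.php 200",
    "2014-07-09T10:05:00 10.0.0.9 GET http://www.example.com/news/index.html 200",
    "2014-07-09T10:05:01 10.0.0.9 GET http://cdn.example.net/js/app.js 200",
    "2014-07-09T10:05:02 10.0.0.9 GET http://www.example.com/search/results.php 200",
]

if __name__ == "__main__":
    for chain in find_chains(SAMPLE_LOG):
        print(chain)
```

The benign client also fetches an index.html, one script from another host and a .php page, yet produces no hit: only one script host appears, and the .php lives on the same host as the landing page. Requiring several distinct script hosts followed by a gate on a third host is what separates the chain from normal sites that load a CDN script.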
